[New Feature] Renew SSL with Port 443 Auto Script to renew SSL by DNS (certbot)

Renewing SSL without port 443 is tedious work: renew the SSL certificate with DNS, then copy the certificates into the HestiaCP panel, and repeat every 30 days.

Recently I tried to make this a script and cron job to do it automatically. But it doesn't work quite well. SSL ERROR SHOWING AT BROWSER address bar; I guess it is not copying the files from “/etc/letsencrypt/live/domain.com/*” to “/home/hestiacpuser/conf/web/domain.com/ssl/” correspondingly.

Any suggestion on this code? This is not a common way to renew SSL; it is mostly a use case for homelab servers, and most users will not require this.

Here is my requirement:
I have an Ubuntu server with HestiaCP (web control panel), Nginx + Apache + PHP. Because my server does not have port 443 open, I need to get the certificate by DNS. I already set up the DNS and TXT records in the Cloudflare DNS manager. All I need to do is run this code every 89 days by cron job.

Can you write me a script (.sh) and cron job that runs under user root?
My email is “[email protected]
Ubuntu server user is “hetiacpuser”
The script is saved in “/home/admin/renew-ssl-mydomain.sh”

First I need to run certbot:
sudo certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d *.mydomain.com -d mydomain.com

This command prompts for confirmation as below:
"What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Keep the existing certificate for now
2: Renew & replace the certificate (may be subject to CA rate limits)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel):"
I would only need "Renew & replace" every time I run this command.

Secondly, copy the certificate files to each domain.
Under the folder “/home/brillor/conf/web/” are these domains:
1. mydomain.com
2. subdomain01.mydomain.com
3. subdomain02.mydomain.com
4. subdomain03.mydomain.com
5. subdomain04.mydomain.com
6. subdomain05.mydomain.com
7. subdomain06.mydomain.com

Example of what should be copied:
For mydomain.com I need to copy the contents from
“/etc/letsencrypt/live/mydomain.com/fullchain.pem” to “/home/hetiacpuser/conf/web/mydomain.com/ssl/mydomain.com.pem”
“/etc/letsencrypt/live/mydomain.com/privkey.pem” to “/home/hetiacpuser/conf/web/mydomain.com/ssl/mydomain.com.key”
“/etc/letsencrypt/live/mydomain.com/cert.pem” to “/home/hetiacpuser/conf/web/mydomain.com/ssl/mydomain.com.crt”
“/etc/letsencrypt/live/mydomain.com/chain.pem” to “/home/hetiacpuser/conf/web/mydomain.com/ssl/mydomain.com.ca”

For files.mydomain.com I need to copy the contents from
“/etc/letsencrypt/live/mydomain.com/fullchain.pem” to “/home/hetiacpuser/conf/web/files.mydomain.com/ssl/mydomain.com.pem”
“/etc/letsencrypt/live/mydomain.com/privkey.pem” to “/home/hetiacpuser/conf/web/files.mydomain.com/ssl/mydomain.com.key”
“/etc/letsencrypt/live/mydomain.com/cert.pem” to “/home/hetiacpuser/conf/web/files.mydomain.com/ssl/mydomain.com.crt”
“/etc/letsencrypt/live/mydomain.com/chain.pem” to “/home/hetiacpuser/conf/web/files.mydomain.com/ssl/mydomain.com.ca”


And do the same for the rest of the domains.

#######################################
And here is my script:

#!/bin/bash
#
# Script to renew Let's Encrypt wildcard certificates and copy them to HestiaCP domains.
# This script should be run as root (e.g. from root's crontab).

# Exit immediately if a command fails, if an unset variable is used,
# or if any command in a pipeline fails.
set -euo pipefail

# --- Configuration ---
# A list of all domains that will use the wildcard certificate.
# Add or remove domains from this list as needed.
DOMAINS=(
    "mydomain.com"
    "subdomain01.mydomain.com"
    "subdomain02.mydomain.com"
    "subdomain03.mydomain.com"
    "subdomain04.mydomain.com"
    "subdomain05.mydomain.com"
    "subdomain06.mydomain.com"
)

# The primary domain name used for the Let's Encrypt certificate.
# This must match the name of the lineage directory in /etc/letsencrypt/live/
LE_DOMAIN="mydomain.com"

# The HestiaCP user who owns the domains.
HESTIA_USER="hestiacpuser"

# The base directory where HestiaCP stores web domain configurations.
HESTIA_WEB_DIR="/home/${HESTIA_USER}/conf/web"

# The source directory for the renewed Let's Encrypt certificates.
LE_CERT_DIR="/etc/letsencrypt/live/${LE_DOMAIN}"

# Base name of the destination files inside each domain's ssl/ directory
# (mydomain.com.pem, mydomain.com.key, ... for every domain, as required above).
# Note: HestiaCP's generated nginx/apache configs normally reference
# <domain>.pem / <domain>.key / <domain>.crt / <domain>.ca, i.e. the name of
# the domain itself. If the browser still reports a certificate error, check
# the ssl_certificate path in ${HESTIA_WEB_DIR}/<domain>/nginx.ssl.conf and,
# if it uses the domain name, set DEST_BASE="${domain}" inside the loop below.
DEST_BASE="${LE_DOMAIN}"

# --- Script Logic ---

if [ "$(id -u)" -ne 0 ]; then
    echo "This script must be run as root." >&2
    exit 1
fi

echo "----------------------------------------"
echo "Starting Let's Encrypt renewal process at $(date)"
echo "----------------------------------------"

# Step 1: Renew the certificate.
# 'certbot renew' is the standard non-interactive command for automation. It reuses
# the settings saved when the certificate was first issued (including the manual
# auth hook), so there is no "Keep / Renew & replace" prompt to answer, which is
# more reliable than scripting the interactive 'certonly' command.
# By default it only renews certificates close to expiry, so '--force-renewal'
# makes it renew every time this script runs; '--cert-name' limits the renewal
# to this one certificate instead of every certificate on the machine.
echo "Attempting to renew certificate for ${LE_DOMAIN}..."
certbot renew --cert-name "${LE_DOMAIN}" --force-renewal

# Make sure the renewed files actually exist before touching the web server's copies.
for f in fullchain.pem privkey.pem cert.pem chain.pem; do
    if [ ! -r "${LE_CERT_DIR}/${f}" ]; then
        echo "ERROR: ${LE_CERT_DIR}/${f} not found or not readable." >&2
        exit 1
    fi
done

echo "Certificate renewed successfully."
echo ""

# Step 2: Copy the renewed certificate files to each domain's SSL directory.
echo "Copying new certificate files to HestiaCP domains..."

for domain in "${DOMAINS[@]}"; do
    DEST_SSL_DIR="${HESTIA_WEB_DIR}/${domain}/ssl"

    # Check if the destination directory exists
    if [ -d "${DEST_SSL_DIR}" ]; then
        echo "  - Copying files for ${domain}"

        # File mapping:
        #   .pem = full chain (leaf + intermediates), used by nginx
        #   .key = private key
        #   .crt = full chain as well (instead of cert.pem), so the intermediates
        #          are always served and the browser can build the chain
        #   .ca  = intermediate chain, used by apache
        cp "${LE_CERT_DIR}/fullchain.pem" "${DEST_SSL_DIR}/${DEST_BASE}.pem"
        cp "${LE_CERT_DIR}/privkey.pem"   "${DEST_SSL_DIR}/${DEST_BASE}.key"
        cp "${LE_CERT_DIR}/fullchain.pem" "${DEST_SSL_DIR}/${DEST_BASE}.crt"
        cp "${LE_CERT_DIR}/chain.pem"     "${DEST_SSL_DIR}/${DEST_BASE}.ca"

        echo "    Files for ${domain} copied successfully."
    else
        echo "  - WARNING: SSL directory not found for ${domain} at ${DEST_SSL_DIR}. Skipping."
    fi
done

echo ""
echo "All certificate files have been copied."
echo ""

# Step 3: Validate the configurations, then reload the web servers to apply the new certificates.
# HestiaCP uses both Nginx and Apache, so we check and reload both. Testing first means
# a broken certificate file aborts the script (set -e) instead of taking the sites down.
echo "Reloading Nginx and Apache2 to apply new certificates..."
nginx -t
systemctl reload nginx
apachectl configtest
systemctl reload apache2

echo "Web servers reloaded successfully."
echo ""
echo "----------------------------------------"
echo "Certificate renewal and deployment finished at $(date)"
echo "----------------------------------------"

exit 0
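The copy step is where the poster suspects the failure, and a plain `cp` gives no way to tell afterwards whether the web server's copies really match what certbot wrote. The functions below are an added example, not the poster's script or anything from HestiaCP: `deploy_cert` copies each Let's Encrypt file into a HestiaCP-style `ssl/` directory atomically (write to a temp file, then `mv`) so a reload never sees a half-written certificate, and keeps the private key at mode 0600; `verify_cert` then compares every deployed file byte-for-byte against its source and reports any mismatch. The file mapping is the one listed in the post; the third argument (`NAME`) is the base name of the destination files, so it can be `mydomain.com` as the post requires or the domain itself, which is what HestiaCP's own templates normally reference (an assumption, so check the domain's `nginx.ssl.conf`). It assumes Linux with POSIX sh, `cmp` and `mktemp`; all paths and names are placeholders.

```shell
#!/bin/sh
# Added example (not the poster's script): deploy Let's Encrypt files into a
# HestiaCP-style ssl/ directory carefully, then verify the result.
# Paths, user and domain names used by callers are placeholders.

# Mapping "Let's Encrypt file:HestiaCP suffix", taken from the post:
#   fullchain.pem -> <name>.pem, privkey.pem -> <name>.key,
#   cert.pem -> <name>.crt, chain.pem -> <name>.ca
CERT_MAP="fullchain.pem:pem privkey.pem:key cert.pem:crt chain.pem:ca"

# deploy_cert LIVE_DIR SSL_DIR NAME
# Copies each source file into SSL_DIR atomically (temp file + mv) so the web
# server never reads a partially written file. The key is kept at mode 0600,
# everything else at 0644. Returns 1 and leaves nothing behind on any failure.
deploy_cert() {
    live_dir=$1; ssl_dir=$2; name=$3
    [ -d "$ssl_dir" ] || { echo "missing ssl dir: $ssl_dir" >&2; return 1; }
    for pair in $CERT_MAP; do
        src="$live_dir/${pair%%:*}"
        dst="$ssl_dir/$name.${pair##*:}"
        [ -r "$src" ] || { echo "missing source: $src" >&2; return 1; }
        tmp=$(mktemp "$ssl_dir/.$name.XXXXXX") || return 1
        if [ "${pair##*:}" = key ]; then mode=600; else mode=644; fi
        if ! { cp "$src" "$tmp" && chmod "$mode" "$tmp" && mv -f "$tmp" "$dst"; }; then
            rm -f "$tmp"
            echo "failed to deploy $dst" >&2
            return 1
        fi
    done
    return 0
}

# verify_cert LIVE_DIR SSL_DIR NAME
# Returns 0 only if every deployed file is byte-identical to its source;
# prints one MISMATCH line per differing or missing file otherwise.
verify_cert() {
    live_dir=$1; ssl_dir=$2; name=$3; rc=0
    for pair in $CERT_MAP; do
        src="$live_dir/${pair%%:*}"
        dst="$ssl_dir/$name.${pair##*:}"
        if ! cmp -s "$src" "$dst"; then
            echo "MISMATCH: $dst differs from $src" >&2
            rc=1
        fi
    done
    return $rc
}
```

Inside a renewal script you would call it once per domain, for example `deploy_cert /etc/letsencrypt/live/mydomain.com /home/hestiacpuser/conf/web/subdomain01.mydomain.com/ssl mydomain.com && verify_cert /etc/letsencrypt/live/mydomain.com /home/hestiacpuser/conf/web/subdomain01.mydomain.com/ssl mydomain.com`, and only reload nginx and apache when every `verify_cert` call has returned 0. If the browser still shows a certificate error after verification passes, the deployed files are not the problem and the name the server config actually loads is the next thing to check.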